From 7b6cf6aadf6a0c67603371c5bcf867cfb254900f Mon Sep 17 00:00:00 2001
From: Timo Furrer <tfurrer@gitlab.com>
Date: Tue, 29 Oct 2024 10:13:23 +0100
Subject: [PATCH] Sign images using cosign

---
 .gitlab-ci.yml                    | 12 +++++++++++-
 .gitlab/README.md.template        | 10 ++++++++++
 .gitlab/release-notes.md.template |  2 ++
 README.md                         | 10 ++++++++++
 4 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5a86ff3..c06fd98 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -182,7 +182,7 @@ shellcheck:
 .gitlab-opentofu-image:deploy:base:
   stage: deploy
   image:
-    name: gcr.io/go-containerregistry/crane:debug
+    name: alpine/crane:0.20.0
     entrypoint: [""]
   variables:
     GITLAB_OPENTOFU_BASE_IMAGE_OS: $RELEASE_BASE_IMAGE_OS
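Review bot: The job image on the new line `name: alpine/crane:0.20.0` is pinned only by a mutable tag, so the tool that copies and then signs every release image can be replaced under the same tag without any change to this file; for a release-signing job the usual defence is a digest pin, e.g. `name: alpine/crane:0.20.0@sha256:<IMAGE_DIGEST>` (placeholder digest, take it from the registry). The same applies to `apk add --update cosign` in the second hunk, which installs whatever cosign build the Alpine repository serves at run time; pinning the package version (`cosign=<VERSION>`, placeholder) or fetching a digest-pinned cosign binary keeps the signer reproducible and auditable alongside the signature it produces. A short comment above the image line, such as `# Pinned by digest: this image both publishes and signs release images`, would record why the pin must not be loosened. The `.gitlab-opentofu-image:deploy:base` job continues past the end of this hunk.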
@@ -219,8 +219,18 @@ shellcheck:
 
 gitlab-opentofu-image:deploy:
   extends: ['.gitlab-opentofu-image:deploy:base']
+  variables:
+    COSIGN_YES: "true"  # Used by Cosign to skip confirmation prompts for non-destructive operations
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
   script:
+    # Install dependencies, can't use before_script because of the job we are extending.
+    - apk add --update cosign
+    # Release image
     - crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
+    # Sign image
+    - cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"
     - export image_digest="$(crane digest $RELEASE_IMAGE)"
     - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$image_digest\`)" > image$CI_JOB_ID.md'
   artifacts:
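Review bot: The digest that is signed and the digest written into the release note are resolved by two separate `crane digest` calls (the new `cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"` line and the existing `export image_digest="$(crane digest $RELEASE_IMAGE)"` line), so if `$RELEASE_IMAGE` is a tag and it is re-pushed between the two calls the note would advertise a digest that carries no signature. Resolving once and deriving both values from it closes that gap, assuming `--full-ref` prints `<repo>@<digest>` as the new line already relies on: `- export image_ref="$(crane digest --full-ref "$RELEASE_IMAGE")"`, then `- cosign sign "$image_ref"`, then `- export image_digest="${image_ref##*@}"`. This also quotes the reference that the existing `crane digest $RELEASE_IMAGE` line leaves unquoted. It would help verifiers if the `# Sign image` comment stated that this is keyless Sigstore signing via the `SIGSTORE_ID_TOKEN` ID token, since the certificate identity and issuer are what a `cosign verify` caller has to check against.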
diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template
index a1ad5a7..7a09bf9 100644
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -328,6 +328,16 @@ However, we cannot use the alternative `+` which would indicate build metadata
 as we'd like.
 See https://github.com/distribution/distribution/issues/1201*
 
+### Image Signing
+
+Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
+using [`sigstore/cosign`](https://github.com/sigstore/cosign).
+
+Check the following docs to learn more about verifying the signature:
+
+- https://docs.sigstore.dev/cosign/verifying/verify/
+- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+
 ### Using with Renovate
 
 To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).
diff --git a/.gitlab/release-notes.md.template b/.gitlab/release-notes.md.template
index 36585db..40dedc6 100644
--- a/.gitlab/release-notes.md.template
+++ b/.gitlab/release-notes.md.template
@@ -43,6 +43,8 @@ And with the follow base OS images:
 - `alpine`, use `base_os: alpine` input to use it (default).
 - `debian`, use `base_os: debian` input to use it.
 
+The images have been signed with `cosign`.
+
 > **Note:**
 >
 > When using the component with the inputs `version` and `opentofu_version`,<br>
diff --git a/README.md b/README.md
index 1a1eefe..0402b3c 100644
--- a/README.md
+++ b/README.md
@@ -347,6 +347,16 @@ However, we cannot use the alternative `+` which would indicate build metadata
 as we'd like.
 See https://github.com/distribution/distribution/issues/1201*
 
+### Image Signing
+
+Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
+using [`sigstore/cosign`](https://github.com/sigstore/cosign).
+
+Check the following docs to learn more about verifying the signature:
+
+- https://docs.sigstore.dev/cosign/verifying/verify/
+- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+
 ### Using with Renovate
 
 To keep the component versions up to date you could use [Renovate](https://docs.renovatebot.com/).
-- 
GitLab